Carriers, Manufacturers Fail to Update Android Phones

Android smartphones from Samsung, HTC and Motorola dominated a "Dirty Dozen" list of insecure phones because carriers were not pushing out OS updates in a timely manner.

Security firm Bit9 on Nov. 21 released its "Dirty Dozen" list of insecure smartphones. The list focused on Android smartphones because approximately 56 percent of Android phones in the marketplace are running out-of-date and insecure versions of the mobile operating system, Harry Svedlove, CTO of Bit9, told eWEEK.

Smartphone manufacturers Samsung, HTC, Motorola and LG are slow to upgrade these phones to the latest and most secure version of Android, Bit9 said in its report. The manufacturers are focused on pushing out the latest new models every few months, but users are generally locked into two-year contracts, Svedlove said. Wireless carriers and manufacturers don't bother to support users on older handsets because it's in their financial interest to have users keep buying new handsets, he said.

The most secure were the Samsung Nexus X, HTC Droid Incredible, Samsung Galaxy S2, HTC Sensation and the T-Mobile G2. Even though the Nexus is made by Samsung, Google controls the handset entirely, so Nexus owners receive updates almost instantly, Bit9 said. The T-Mobile G2 was originally launched with Froyo a year ago, but T-Mobile has pushed out several updates over the air to its users since then.

The Samsung Galaxy Mini was called out specifically because it was released in April with a version of Android that was already almost a year out-of-date. Instead of running Gingerbread (2.3.3 or 2.3.4), which was already available, Samsung launched the phone running the older Froyo (2.2), according to Bit9. Samsung took 316 days to patch the Galaxy Mini after Google released an Android update, and Motorola took 141 days to update the Droid X.

The goal of the list was not to gang up on Android, since "all operating systems have vulnerabilities," Svedlove said, noting that iOS has more reported issues than Android in the National Vulnerability Database. But the true test of security is how quickly and effectively the OS gets fixed, and that's where manufacturers and carriers are failing when it comes to Android, according to Svedlove.

The iPhone 4 and older models were given an "honorable mention" at No. 13 because, up until iOS 5 and the iPhone 4S, users had to physically connect their devices to a computer and launch a manual update. Practically no one ever docked their phones on the computer, and very few people ever bothered to download and install the various security updates issued by Apple, Svedlove said. The iOS 5 update, which gives users access to iCloud, was often the first time longtime iPhone owners had ever tried the update process. The over-the-air update process introduced in iOS 5 will make it much easier for iPhone and iPad owners to stay up-to-date from this point on, Svedlove said.